
Tuesday, 11 September 2018

Microsoft has been introducing useful innovations in the Office suite, making it easier to use, providing a better user experience and opening the product to an ever wider range of data sources.

Let's talk about the Microsoft Power Query feature. This add-in for Microsoft Excel improves the self-service business intelligence experience, simplifying collaboration, discovery and access to data from a wide range of sources such as OData, the Web, Hadoop and more[1].

Importing data from a web page in tabular form has never been so simple (see Microsoft's example[2]). Furthermore, the query can be saved and/or exported to a dedicated file with the extension ".iqy".

To make clearer what we are talking about, the image on the left shows the icon of the file containing the query for the data to be imported, and the image on the right shows the contents of that file.

Cyber criminals have been able to exploit this feature for their own ends, using these files as attachments to phishing emails.

To keep this as up to date as I can, I am quoting the Palo Alto analysis[3] of the new threat actor group "DarkHydrus", which targeted Middle Eastern government entities.

In July 2018 Palo Alto's Cyber Threat Intelligence team, known as "Unit 42", analyzed a cyber attack whose peculiarity lies in the type of file attached to the spear-phishing emails: inside password-protected RAR archives there was a Microsoft Power Query file (.iqy).

To demonstrate how easy it is for an attacker to exploit this Microsoft feature, a simulation will be carried out, rebuilding an attack that uses Microsoft Power Query files.

The image below is a reconstruction of how a phishing mail would present itself to the recipients.

Double-clicking the file runs Microsoft Excel.

An alert will inform the user of a potential security issue.

This kind of alert may seem unusual, even to a novice user.
Attackers always know how to improve their capabilities, so they have come up with a new way to create documents that do not make users suspicious and that security systems judge legitimate, even though they conceal malicious artifacts that download and run fraudulent content.

Microsoft offers the option to save files in Excel format that embed the web query, and therefore the content of the ".iqy" file, within them.

Attackers understood that this approach makes the documents attached to the mail much more credible than before.

ATTACK SIMULATION

To demonstrate the potential of this attack, a small script that launches the calculator was created and saved in a ".dat" file. This file was then uploaded to a remote server and its path was imported into an Excel file via Microsoft Power Query.

Below is an excerpt of the query contained in the ".iqy" file, as it appears when exported from the Excel file.

As you can see from the image below, the email is quite credible. The attached Excel file, in turn, carries no fraudulent content as such, because the URL it contains is a component of the Microsoft Power Query feature.

A reconstruction of how the phishing mail is presented to the recipients.

When the "test.xlsx" file is opened, a security warning informs the user that the file has disabled content.
This could ring an alarm bell for the user. Cyber criminals know that users may notice that the email is malicious; for this reason, in targeted phishing campaigns the emails "mimic" a colleague's mailbox or an external entity with which the target has a frequent business relationship.
In this case the victim will be more inclined to underestimate the alert displayed and to enable the content.

The image above shows how the file looks after it is opened. It is worth pointing out to the reader that the Excel sheet, on the face of it, shows nothing that could suggest fraudulent content hidden inside.
The text "#RIF!" in cell A1 (the Italian-locale rendering of Excel's "#REF!" error) could in some way lead the user to think that the empty sheet and the "#RIF!" string are a problem caused by the disabled content.
In the following image we can see that, by enabling the content, a second alert warns the user that another application will be executed.

By clicking the "Yes" button, the attack takes place and the calculator is started on the victim's system.

To demonstrate how pervasive this attack may be, the script created previously was published on Pastebin; then the same procedure was followed, this time importing the URL of the "paste" into an Excel file using Microsoft Power Query.

Above is an excerpt of the query contained in the ".iqy" file, as it appears when exported from the Excel file.

The result was not good! The script was read and the calc.exe application was executed.

Further tests were done by publishing the same script inside an HTML web page and in a blog post; the result was the same.
The content of the script was read and executed via Microsoft Power Query.

It should be noted that while sites like Pastebin may be blocked by corporate URL filtering systems, other sites with a high reputation are not, and therefore the risk of infection starts to rise.
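As an added example (not code from the original post), the following Python script shows the check a mail gateway or analyst would run on exactly the artifacts described above: it extracts the URL an ".iqy" web query would fetch, and the URL of a web-query connection saved inside an ".xlsx" workbook, and flags any host that is not on an allow list. Assumptions: an ".iqy" is a text file whose first lines are "WEB", "1" and the URL; an ".xlsx" keeps saved connections in xl/connections.xml, where a web query is a <connection type="4"> element with a <webPr url="..."/> child. The sample files, the host paste.invalid and the allow list are all constructed for the example.

```python
"""Defender-side scanner for Excel web queries (.iqy files and .xlsx saved
connections). Constructed samples only; nothing is fetched from the network."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed .iqy, same shape as the query excerpt shown in the post;
# the host uses the reserved .invalid TLD so it can never resolve.
SAMPLE_IQY = "WEB\n1\nhttp://paste.invalid/raw/abc123\n\nSelection=AllTables\nFormatting=None\n"

SS_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
# Constructed xl/connections.xml: type="4" is the web-query connection type.
CONNECTIONS_XML = (
    f'<connections xmlns="{SS_NS}">'
    '<connection id="1" name="Connection" type="4" refreshedVersion="6" background="1" saveData="1">'
    '<webPr xml="0" sourceData="1" url="http://paste.invalid/raw/abc123" htmlTables="1"/>'
    '</connection></connections>'
)


def build_sample_xlsx() -> bytes:
    """Minimal workbook container (assumption: only the part we scan is populated)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/connections.xml", CONNECTIONS_XML)
    return buf.getvalue()


def iqy_urls(text: str) -> list[str]:
    """Return the URL lines of an .iqy file: everything after the WEB/1 header
    up to the first blank line, which separates the URL from the options."""
    lines = text.splitlines()
    if len(lines) < 3 or lines[0].strip().upper() != "WEB":
        return []
    urls = []
    for line in lines[2:]:
        if not line.strip():
            break
        urls.append(line.strip())
    return urls


def xlsx_web_query_urls(data: bytes) -> list[str]:
    """Return the target URLs of saved web-query connections inside an .xlsx."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "xl/connections.xml" not in z.namelist():
            return []
        root = ET.fromstring(z.read("xl/connections.xml"))
    urls = []
    for conn in root.iter(f"{{{SS_NS}}}connection"):
        web = conn.find(f"{{{SS_NS}}}webPr")
        if web is not None and web.get("url"):
            urls.append(web.get("url"))
    return urls


def classify(urls, allowed_hosts=frozenset()):
    """Flag URLs whose host is outside the allow list; allowed-but-cleartext
    http URLs are reported separately so they can still be reviewed."""
    findings = []
    for u in urls:
        p = urlparse(u)
        if p.hostname and p.hostname.lower() not in allowed_hosts:
            findings.append(("external-host", u))
        elif p.scheme == "http":
            findings.append(("cleartext-http", u))
    return findings


if __name__ == "__main__":
    print("iqy:", classify(iqy_urls(SAMPLE_IQY)))
    print("xlsx:", classify(xlsx_web_query_urls(build_sample_xlsx()), {"intranet.invalid"}))
```

The same connections.xml check covers the case the post describes, where the query is embedded in the workbook rather than shipped as a bare ".iqy" attachment; a reputation-based URL filter alone would not flag a paste site or a blog with a good reputation, which is why the allow-list approach is used here.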

The most effective defences against cyber attacks remain awareness and information sharing. The user is the weak link in the chain, but one who, given training based on a structured awareness program, could block an intrusion by identifying even the newest and most refined social engineering techniques.

We need to train employees and managers so that they are conscious and aware of all emails coming from outside.

Monday, 14 May 2018

This story started one year ago, when I went to the Maker Faire in Rome, an event created by Make magazine to celebrate arts, crafts, engineering, science projects and the Do-It-Yourself (DIY) mindset.

There, my eye was caught by the Magic Mirror, a mix between a mirror and a computer. I asked for a lot of information about the object and I remember thinking: "I want to build one of these by myself".

On my way home it was impossible for me to forget that object. When I arrived home I switched on my computer and started googling how to build it. I was very busy at the time, so I read a lot and stored everything in my mind in order to use this information in the future.

At the end of last year I went back to my open projects and decided to complete it.

First of all I jotted down on paper every component I needed:

1 Raspberry Pi 3

1 HDMI monitor, LCD or LED, between 15 and 19 inches

1 Magic Mirror software (to develop)

1 Plexiglas sheet

Mirror film

...and something useful to use it as a mirror

I did some research and in the end I decided to use Android as the OS, because I am quite able to develop apps for this environment, so everything would be faster.

So, I found a good custom Android ROM and installed it on the Raspberry Pi 3.

I decided which features I'd like to have in my Magic Mirror and started developing an Android app for it.

As a base, I decided to show the time, the date, a weather icon and the temperature in degrees. Then I decided to add a service to show the daily news.

In the meantime I looked for an HDMI monitor that fitted my goal well.
I found and bought it, and when I finished the Magic Mirror app it was time to test it.

The result looked pretty good.
The next step was to dismantle the monitor's plastic cover in order to keep only the panel.
I did it and then measured its size in order to buy the plexiglass sheet.

I found a plexiglas sheet bigger than I needed, so I had to cut it.
But this was not the most difficult part... the hardest was applying the mirror film as well as possible.

Of course, I was not able to do the best job ever and, as you can see, there are some little bubbles.
The next step was to fix the plexiglas to the monitor, and this was very easy thanks to the film being cut longer than needed.

In the end this is the result! My girlfriend and I mirrored in the Magic Mirror! :)

The last step was to have a suitable and beautiful frame for the Magic Mirror... and voilà, the frame!!

There you can see the back of the Magic Mirror, with the monitor, its switch, the Raspberry Pi and part of the cables.

In the end, this is my Magic Mirror!

Next steps? Integrate it with a microphone, a speaker and Google Assistant!

Friday, 12 January 2018

In recent weeks we are reading more and more news about attacks that exploit DDE technology: botnets that exploit the DDE attack, ransomware distributed via the DDE attack, and so on.
Well, this is the right time to clarify this technology and this new attack vector.

Let's start from the basics: what is DDE?
DDE, which stands for Dynamic Data Exchange, is an interprocess communication (IPC) system introduced for the first time in 1987 with Windows 2.0.
This technology and its functionality have been largely supplanted by OLE (Object Linking and Embedding). However, DDE is still used due to its simplicity.

Like macros, DDE is a legitimate feature of Microsoft Office and allows a set of data to be shared between applications. For example, you could create a Word document linked to an Excel document so that the data in the former is updated automatically whenever you change the Excel spreadsheet data.

How is this attack carried out?
Performing a DDE attack is very simple. Just add a {DDEAUTO} field, which invokes the DDE feature, to the text of a Microsoft Word document, followed by the command you want to run, all within the braces.

Can it be used only in Office documents?
No, not only in Microsoft Office documents.
This attack can also be pulled off via Outlook, by sending an email, an attached email or an appointment, known as a "calendar" in company jargon.

Now we are going to create formatted content using Microsoft Outlook's "Rich Text Format" (RTF), insert the malicious code inside it and save it as an email. The next step will be to attach this one to the email we'd like to send, write a title and a text that attract the victim's attention and push them to open it.

What can you do with this attack?

A DDE attack could be used:

to send a computer into Denial of Service (DoS) by running countless instances of a specific program until the available resources are saturated;

to run software or scripts that could give the attacker full control of the computer;

to download malware used to exfiltrate data.

How to recognize fraudulent content?
When you open the file, a warning message is shown. It warns you that the file contains links to external content and asks for confirmation to continue.

If your choice was "Yes", a new message is displayed asking whether you want to run a specified application. In the example below the command/application quoted is "cmd.exe".

However, it should be noted that the information about the command to be executed can be hidden or omitted by editing the syntax of the malicious code.

How to defend yourself?
When the warning message about external content pops up, clicking "No" blocks the attempted attack.

You can also defend yourself better by changing the settings to display all messages in plain text format.
However, this workaround involves deactivating all formatting, colours and images in all incoming emails, and consequently some content may not be rendered.
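Beyond the user-facing warnings, the field code itself can be checked before the message or document is ever opened. The following Python detector is an added example (not code from the original post) that reassembles field instructions from a ".docx" and from RTF content such as an Outlook rich-text message and reports those that start with DDE or DDEAUTO. Assumptions about the formats: in a ".docx" the body is word/document.xml, where a field's instruction is split across <w:instrText> runs between <w:fldChar w:fldCharType="begin"/> and "end" (or given whole in <w:fldSimple w:instr="...">); in RTF it sits in a {\*\fldinst ...} group. The samples are constructed, with a placeholder instead of a real command, and the docx sample deliberately splits "DDEAUTO" over several runs to show why a plain string search on the raw XML is not enough.

```python
r"""Detector for DDE/DDEAUTO field codes in .docx and RTF content.
Constructed samples only; the field carries a placeholder, not a command."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = f"{{{W_NS}}}"
DDE_RE = re.compile(r"^\s*(?:DDEAUTO|DDE)\b", re.IGNORECASE)

# Constructed word/document.xml: the instruction is split over three runs,
# so the literal string "DDEAUTO" never appears in the raw file.
SAMPLE_DOCUMENT_XML = f"""<w:document xmlns:w="{W_NS}"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDEA</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">UTO PLACEHOLDER_PROGRAM </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">"PLACEHOLDER_ARGS"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>cached field result</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>"""

# Constructed RTF fragment of the kind an Outlook rich-text message would carry.
SAMPLE_RTF = r'{\rtf1\ansi {\field{\*\fldinst DDEAUTO PLACEHOLDER_PROGRAM "PLACEHOLDER_ARGS"}{\fldrslt }}}'


def build_sample_docx() -> bytes:
    """Minimal .docx container (assumption: only document.xml matters here)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()


def docx_field_codes(data: bytes) -> list[str]:
    """Return every field instruction in word/document.xml, joining split runs.
    Nested fields are flattened into the outer one, which keeps the DDE token
    visible even when it is wrapped in another field."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    fields = [fs.get(W + "instr", "") for fs in root.iter(W + "fldSimple")]
    current, depth = [], 0
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    fields.append("".join(current))
                    current = []
        elif el.tag == W + "instrText" and depth > 0:
            current.append(el.text or "")
    return fields


def rtf_field_codes(rtf: str) -> list[str]:
    r"""Pull the instruction text out of every {\*\fldinst ...} group."""
    return [m.group(1).strip() for m in re.finditer(r"\{\\\*\\fldinst\s+([^{}]*)", rtf)]


def find_dde(field_codes: list[str]) -> list[str]:
    """Return the field codes whose instruction starts with DDE or DDEAUTO."""
    return [f.strip() for f in field_codes if DDE_RE.match(f)]


if __name__ == "__main__":
    print("docx:", find_dde(docx_field_codes(build_sample_docx())))
    print("rtf:", find_dde(rtf_field_codes(SAMPLE_RTF)))
```

Legitimate fields such as DATE or PAGE pass through untouched, so the check can run on every inbound attachment without generating noise; a hit is worth quarantining regardless of what follows the DDE token, since the post notes that the visible command can be hidden by reshaping the field syntax.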

Why this new attack?
Cyber criminals are starting to use DDE technology because it is different from macros and because they are always looking for new ways to mislead the victim.
For years we have witnessed attacks based on macros, but fortunately you can disable this technology and therefore prevent malicious content from being executed automatically when the file is opened.
This new approach, though it has some limits dictated by the interaction with the user, could lead an untrained or careless person to think that the alert is an error caused by some problem with the file.
In the last weeks this new attack vector has grown exponentially thanks to the fact that you do not have to attach Microsoft Office or PDF documents to the email, but just another email or a "calendar".

Please note: this article was written at the end of October 2017, but only now have I been able to publish it.

Shellcode Analysis:

The "crontab" option "-r" is present only in some Linux distros like Debian, CentOS and Red Hat. I can imagine that this malware is focused on the Linux distros quoted above.

The third line of the shellcode gets the seconds since 1970 and converts them into days, then stores the result in a variable named "days".

It adds the value 983 to the "days" variable and assigns the result to a variable named "days2".

Then the "days" variable is set to the first 10 characters of the MD5 digest of "days2".

In the shellcode snippet reported below it lists the processes and pipes the output through other commands like xargs and awk.

The latter searches for lines that match a pattern; when a line matches, awk performs a specific action on it. In this case, "print $2" returns the second field (the process ID), which is then killed.

Using the command "pkill -f", the shellcode kills processes whose full command line matches the pattern.

This shellcode snippet is used to kill any other miners that have infected the machine, so as to be the only one using it.

The "DoMiner" function uses the curl command to download into the "tmp" folder a JPG image file named "car-498167.jpg" from the website "imagehousing[dot]com", and renames this image with the value of the "days" variable.

Then it skips the first 2931 bytes and saves the file again.

After this, the file's permissions are changed to add execute privileges and, finally, it uses the "nohup" command-line utility, which allows a command, process or shell script to keep running in the background after you log out from the shell.

It sleeps and then removes every file named after the "days" and "daybefore" variables.

NOTE: nowhere in the source code is a file named "daybefore.jpg" created. Only a variable was created using this name.

Why include this shellcode line? Is it a typographical error?

Let's carry on by downloading the image file "car-498167.jpg" using a browser. It looks like the first one.

A quick analysis shows that it does not contain evil shellcode or evil artifacts, but I discovered a very interesting piece of information.

As you can read, it is packed with the UPX packer, version 3.91.

I created a bash script to execute it in debug mode, download the image and skip 2931 bytes as written in the source code.

Below you can see my bash script and its result in terms of files.

Note: "12days" and "13days" are the names I personally decided to give to these images.

Above you can see both files, the first one (the image file) and the second one (the executable file), which is the first one without the 2931 bytes. Below you can take a look at the file sizes.
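As an added example (not the post's bash script), the Python below reproduces the two analysis steps described above without touching the network: it derives the name the script gives the dropped file for a given day (days since 1970, plus 983, first 10 hex characters of the MD5), which lets an analyst predict what to hunt for in "tmp" on any date, and it carves the payload hidden after the first 2931 bytes of the downloaded JPEG, checking for the ELF magic and the "UPX!" marker the post mentions. Assumptions not stated in the post: the MD5 is taken over the decimal number as text with no trailing newline, and the payload is an ELF binary. The image bytes are constructed, not the real sample.

```python
"""Name derivation and payload carving for the miner dropper described above.
Constructed input only; no download is performed."""
import hashlib

SKIP = 2931   # bytes the script discards from the front of the image (from the post)
OFFSET = 983  # value added to the day count before hashing (from the post)
DAY = 86400

def days_since_epoch(seconds: int) -> int:
    """Integer days since 1970-01-01, as `date +%s` divided by 86400 would give."""
    return seconds // DAY

def derive_name(seconds: int) -> str:
    """Filename the dropper uses on the day of `seconds`.
    Assumption: the MD5 input is the bare decimal string, without a newline;
    if the original pipes through echo, the input carries a trailing newline."""
    days2 = days_since_epoch(seconds) + OFFSET
    return hashlib.md5(str(days2).encode()).hexdigest()[:10]

def carve_payload(image: bytes, skip: int = SKIP) -> bytes:
    """Drop the JPEG prefix exactly as the script does before chmod/nohup."""
    return image[skip:]

def inspect_payload(payload: bytes) -> dict:
    """Static checks an analyst runs first: ELF magic and UPX marker near the header."""
    return {
        "is_elf": payload[:4] == b"\x7fELF",
        "upx_packed": b"UPX!" in payload[:4096],
        "size": len(payload),
    }

def build_sample_image() -> bytes:
    """Constructed stand-in for car-498167.jpg: JPEG-looking prefix of SKIP
    bytes followed by a fake ELF header carrying the UPX marker."""
    jpeg_prefix = b"\xff\xd8\xff\xe0" + b"\x00" * (SKIP - 4)
    fake_elf = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"UPX!" + b"\x00" * 32
    return jpeg_prefix + fake_elf

def analyze_sample(seconds: int = 12 * DAY) -> dict:
    """End-to-end: carve, inspect, and attach the expected dropped-file name."""
    result = inspect_payload(carve_payload(build_sample_image()))
    result["expected_name"] = derive_name(seconds)
    return result

if __name__ == "__main__":
    import time
    print("today's expected name:", derive_name(int(time.time())))
    print(analyze_sample())
```

Because the name changes every day, a detection rule should key on the behaviour (a ten-hex-character file in "tmp" that is an ELF with a JPEG-sized gap before it, launched under nohup) rather than on a fixed filename.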